Input validation error in gotenberg - CVE-2026-40893
Published: May 5, 2026
gotenberg
Detailed vulnerability description
The vulnerability allows a remote attacker to rename or move files and cause a denial of service.
The vulnerability exists due to improper input validation in the ExifTool metadata tag filtering logic when handling metadata fields in HTTP requests. A remote attacker can send a specially crafted request with group-prefixed tag names to rename or move files and cause a denial of service.
Every endpoint that accepts the metadata field is affected, and ExifTool treats group-prefixed tag names such as System:FileName and System:Directory as equivalent to the blocked bare tag names.